rpm-software-management / librepo

A library providing C and Python (libcURL like) API for downloading packages and linux repository metadata in rpm-md format
http://rpm-software-management.github.io/librepo/
GNU Lesser General Public License v2.1

RFE: Support for requesting metalink via header on baseurl #251

Open Conan-Kudo opened 3 years ago

Conan-Kudo commented 3 years ago

openSUSE's mirror infrastructure is set up so that the download redirector will return metalink information upon request for each file when "Accept: */*, application/metalink+xml, application/metalink4+xml" is passed in as a header.

This is used by libzypp to be able to selectively fetch metadata from the primary server and fetch packages from mirrors with failover. We should have support for this too.

This means, for example: https://download.opensuse.org/tumbleweed/repo/oss/ will have metadata fetched from the redirector and then everything else will be fetched from mirrors.

Having support for this would also allow us to add similar capabilities to Fedora MirrorManager.

DemiMarie commented 2 years ago

If I turn off metalinks (by using baseurl), I expect none of the metalink code to run. The reason I would turn off metalinks is the reduced attack surface.

Conan-Kudo commented 2 years ago

Yes, but the idea with this feature is that the repomd.xml and repomd.xml.asc files can be fetched from the master server, and all the RPMs can be fetched via metalink. That can be very useful from a security perspective without punishing a server's allotted bandwidth.

DemiMarie commented 2 years ago

> Yes, but the idea with this feature is that the repomd.xml and repomd.xml.asc files can be fetched from the master server, and all the RPMs can be fetched via metalink. That can be very useful from a security perspective without punishing a server's allotted bandwidth.

That is an improvement over using metalinks for everything, yes, but I would prefer if the metalinks were statically-generated and signed. This might require a Debian-style CDN, though. I am specifically worried about libxml2, which is a rather large C library.
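As an added example (not librepo's or libzypp's code, and not written by anyone in this thread), a small Python sketch of the client-side flow the two comments describe: send the Accept header from the first comment, detect whether the redirector answered with a metalink or with the file itself, read only the mirror URLs and the sha-256 from the metalink, and refuse a download whose bytes do not match that hash. The mirror hostnames, file name and RPM bytes are constructed for the example.

```python
import hashlib
import xml.etree.ElementTree as ET

# Accept value from the issue: asks an openSUSE-style redirector for a metalink.
METALINK_ACCEPT = "*/*, application/metalink+xml, application/metalink4+xml"
ML_NS = "{urn:ietf:params:xml:ns:metalink}"  # Metalink 4 namespace (RFC 5854)


def metalink_request_headers():
    """Headers for a GET on a baseurl file so the redirector may answer with a metalink."""
    return {"Accept": METALINK_ACCEPT}


def is_metalink_response(content_type):
    """A redirector that ignores the Accept hint just returns the file itself."""
    ct = (content_type or "").split(";")[0].strip().lower()
    return ct in ("application/metalink+xml", "application/metalink4+xml")


def parse_metalink4(xml_bytes):
    """Map file name -> {"sha256": hex or None, "urls": [...] in priority order}; other elements are ignored."""
    files = {}
    for f in ET.fromstring(xml_bytes).iter(ML_NS + "file"):
        sha256 = None
        for h in f.findall(ML_NS + "hash"):
            if h.get("type") == "sha-256":
                sha256 = (h.text or "").strip().lower()
        urls = sorted(f.findall(ML_NS + "url"),
                      key=lambda u: int(u.get("priority", "999999")))
        files[f.get("name")] = {"sha256": sha256,
                                "urls": [(u.text or "").strip() for u in urls]}
    return files


def verify_payload(data, expected_sha256):
    """True only when the bytes match the sha-256 carried by the metalink."""
    return expected_sha256 is not None and hashlib.sha256(data).hexdigest() == expected_sha256


# Constructed sample reply (hypothetical mirrors, not a real redirector answer).
SAMPLE_PAYLOAD = b"example rpm bytes"
SAMPLE_METALINK = f"""<?xml version="1.0" encoding="UTF-8"?>
<metalink xmlns="urn:ietf:params:xml:ns:metalink">
  <file name="example-1.0-1.noarch.rpm">
    <hash type="sha-256">{hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}</hash>
    <url priority="2">https://mirror-b.example/example-1.0-1.noarch.rpm</url>
    <url priority="1">https://mirror-a.example/example-1.0-1.noarch.rpm</url>
  </file>
</metalink>""".encode()
```

The hash check only helps when the metalink itself came from a trusted source (the master server over TLS, or a signed file), which is the point of the last comment.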